b'Office\xc2\xa0of\xc2\xa0Inspector\xc2\xa0General\n\n                    General\xc2\xa0\xc2\xa0\n\n\n\n   Independent Evaluation Report\n         of FMC\xe2\x80\x99s FY 2011\n      Implementation of FISMA\n\n              A12-02\n\n\n\n\n           January 2012\n\n\nFEDERAL MARITIME COMMISSION \n\n\x0c                               \xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0FEDERAL\xc2\xa0MARITIME\xc2\xa0COMMISSION\n    \xc2\xa0                                   Washington,\xc2\xa0DC\xc2\xa0\xc2\xa020573\xc2\xa0\n\n\n\n                                        January 17, 2012\n\nOffice\xc2\xa0of\xc2\xa0Inspector\xc2\xa0General\xc2\xa0\n\n\nDear Chairman Lidinsky and Commissioners:\n\n\nThe Office of Inspector General submits its report on the status of information security at the\nFederal Maritime Commission for FY 2011. The OIG relied on the expertise of information\nSecurity evaluators from Your Internal Controls LLC for assistance on this mandated review.\n\nThe objectives of the independent evaluation of the FMC information security program were to\nevaluate the FMC\xe2\x80\x99s security posture by assessing compliance with the Federal Information\nSecurity Management Act (FISMA) and related information security policies, procedures,\nstandards, and guidelines. The scope of this task included the FMC Network, and applications\nhousing service contracts (SERVCON) tariff location filings (FORM-1) and FMC license\napplications (FORM-18). The OIG also assessed management actions to implement the OIG\nrecommendations and documented the status of prior recommendations.\n\nThe FY 2011 report contains 12 subject matter findings and 20 recommendations for corrective\nactions. Many of the OIG recommendations have already been implemented by management.\nOnly on one recommendation does the OIG and management continue to disagree (see\nrecommendation 12). The OIG, together with the audit follow up official, will work to resolve\nthe differences.\n\nThe OIG thanks FMC staff, especially the Office of Information Technology, for its assistance in\nhelping us to meet our report objectives.\n\n\xc2\xa0\nRespectfully Submitted,\n\n\n\n\n/Adam R. Trzeciak/\nInspector General\n\x0c                                                               TABLE OF CONTENTS\n\nPURPOSE ....................................................................................................................................... 2\nBACKGROUND ............................................................................................................................ 2\nSCOPE AND METHODOLOGY .................................................................................................. 3\nCURRENT YEAR FINDINGS ...................................................................................................... 3\n   01 Patches and Service Packs ................................................................................................................... 4\n\n   02 Audit Settings....................................................................................................................................... 6\n\n   03 Data Center .......................................................................................................................................... 8\n\n   04 Contingency Plan ................................................................................................................................. 9\n\n   05 Incident Response .............................................................................................................................. 12\n\n   06 HSPD-12 ............................................................................................................................................ 14\n\n   07 Privacy ............................................................................................................................................... 15\n\n   08 Access Rights ..................................................................................................................................... 18\n\n   09 Security Awareness ............................................................................................................................ 19\n\n   10 Password Complexity Settings........................................................................................................... 21\n\n   11 Certification and Accreditation .......................................................................................................... 24\n\n   12 Memorandums of Understanding (MOU).......................................................................................... 26\n\nPRIOR YEAR FINDINGS ........................................................................................................... 28\n\x0c                                             PURPOSE\n\n\nYour Internal Controls (contractor), on behalf of the Federal Maritime Commission (FMC),\nOffice of Inspector General, conducted an independent evaluation of the quality and compliance\nof the FMC information security program with applicable federal computer security laws and\nregulations. Your Internal Controls\xe2\x80\x99 evaluation focused on FMC\xe2\x80\x99s information security program\nas required by the Federal Information Security Management Act (FISMA).\n\nThis report was prepared by Your Internal Controls with guidance by the Office of Inspector\nGeneral. The vulnerabilities discussed in this report should be included in FMC\xe2\x80\x99s Fiscal Year\n(FY) 2011 report to the Office of Management and Budget (OMB) and the Congress.\n\n\n                                          BACKGROUND\n\nOn December 17, 2002, the President signed into law H.R. 2458, the E-Government Act of 2002\n(Public Law 107-347). Title III of the E-Government Act of 2002, commonly referred to as\nFISMA, focuses on improving oversight of federal information security programs and facilitating\nprogress in correcting agency information security weaknesses. FISMA requires federal agencies\nto develop, document and implement an agency-wide information security program that provides\nsecurity for the information and information systems that support the operations and assets of the\nagency. This program includes providing security for information systems provided or managed\nby another agency, contractor or other source. FISMA assigns specific responsibilities to agency\nheads and Inspectors General (IGs). It is supported by security policy promulgated through the\nOffice of Management and Budget (OMB), and risk-based standards and guidelines published in\nthe National Institute of Standards and Technology (NIST), Special Publication (SP) series.\n\nUnder FISMA, agency heads are responsible for providing information security protections\ncommensurate with the risk and magnitude of harm resulting from the unauthorized access, use,\ndisclosure, disruption, modification or destruction of information and information systems.\nFISMA directs federal agencies to report annually to the OMB Director, Comptroller General\nand selected congressional committees, on the adequacy and effectiveness of agency information\nsecurity policies, procedures and practices, and compliance with FISMA. In addition, FISMA\nrequires agencies to have an annual independent evaluation performed on their information\nsecurity programs and practices and to report the evaluation results to OMB. FISMA states that\nthe independent evaluation is to be performed by the agency IG or an independent external\nauditor as determined by the IG. Implementing adequate information security controls is\nessential to ensuring an organization can effectively meet its mission.\n\n\n\n\n                                                2\n\x0c                                 SCOPE AND METHODOLOGY\n\nThe scope of our testing focused on the FMC General Support Systems (GSS) and Major\nApplications (MA). We conducted our testing through inquiry of FMC personnel, observation of\nactivities, inspection of relevant documentation and the performance of technical security testing.\nSome examples of our inquiries with FMC management and personnel included, but were not\nlimited to, reviewing system security plans, access controls, risk assessments and configuration\nmanagement processes.\n\n\n                                   CURRENT YEAR FINDINGS\n\nDuring our FY 2011 evaluation, we noted that FMC has taken steps to improve the information\nsecurity program. For example, a complete system inventory is now in place and a master listing\nof issues is maintained for reporting and correction. This listing of issues includes both the\ncurrent year and all issues identified in prior years. On the other hand, security threats and\nvulnerabilities continue to increase and become more sophisticated. To help mitigate these\nthreats, we\xe2\x80\x99ve identified 12 areas where FMC could improve its security posture.\n\n\n                                MANAGEMENT RESPONSES\n\nAt the conclusion of each finding, we have attached management\xe2\x80\x99s response to the OIG\nrecommendation(s). In many cases, the OIG has closed the recommendation based on\nmanagement\xe2\x80\x99s response and OIG follow up. In other instances, the OIG was unable to close the\nrecommendation, either due to management\xe2\x80\x99s assertion that the recommendation would be\nimplemented in the future, or, we could not verify actions asserted by management without\ndetailed follow up and/or additional fieldwork. The OIG will perform all necessary verification\nprocesses in the FY 2012 FISMA cycle.\n\n\n\n\n                                                3\n\x0c                       01. Patches and Service Packs\nCondition:\n\nThe FMC Office of Information Technology (OIT) uses a software product called Numara,\nwhich is used primarily to identify patches and service packs that are out of date, and classifies\nthe patches as critical, important, etc. We obtained the latest Numara report, which was run on\n9/1/11. The report indicated that servers supporting the FMC applications were missing the\nfollowing patches and service packs:\n\n   \xe2\x80\xa2   3,404 patches (1,158 of which were identified as critical and 1,741 as important by the\n       software)\n   \xe2\x80\xa2   1,158 service packs\n\nThe software product (Numara) did not identify specific definitions for what constitutes a critical\nor important patch, however, the number of patches and service packs missing is the primary\nfocus of this issue.\n\nCriteria:\n\nFMC Patch Management Policy, OIT-P12, states the following:\n\nSection 1. Purpose. \xe2\x80\x9cThe purpose of this policy is to establish responsibilities and procedures\nfor updating FMC systems with newest patches and security updates. The purpose of this policy\nis to ensure that user accounts exist only for authorized users and FMC OIT staff is required to\nregularly identify, disable and purge inactive accounts in a timely and coordinated manner.\xe2\x80\x9d\n\nSection 5. Patch Management. \xe2\x80\x9cOIT will, on an ongoing basis, identify, evaluate and implement\npatches applicable to the systems for which it is responsible.\xe2\x80\x9d\n\nThe NIST guides used as criteria address the patching process. As patches are deployed, this may\ninadvertently change some of the configuration settings on a server (e.g. audit and password\nsettings); therefore it is essential to review patches prior to deploying them. It is also essential to\nreview the configuration settings once the patches have been deployed to ensure that an effective\nsecurity posture is maintained.\n\nNIST 800-123 Guide to General Server Security, Section 4.1 states \xe2\x80\x9cOnce an operating\nsystem (OS) is installed, applying needed patches or upgrades to correct for known\nvulnerabilities is essential. Any known vulnerabilities an OS has should be corrected before\nusing it to host a server or otherwise exposing it to untrusted users. To adequately detect and\ncorrect these vulnerabilities, server administrators should do the following:\n\n            o Create, document, and implement a patching process.\n            o Identify vulnerabilities and applicable patches.\n\n\n                                                  4\n\x0c            o Mitigate vulnerabilities temporarily if needed and if feasible (until patches are\n              available, tested, and installed).\n            o Install permanent fixes (patches, upgrades, etc.)\n\nSection 3.3 states \xe2\x80\x9cOrganizations should develop standardized secure configurations for widely\nused Operating Systems and server software. This will provide recommendations to server and\nnetwork administrators on how to configure their systems securely and ensure consistency and\ncompliance with the organizational security policy. Because it only takes one insecurely\nconfigured host to compromise a network, organizations with a significant number of hosts are\nespecially encouraged to apply this recommendation.\xe2\x80\x9d\n\nCause:\n\nThe Office of Information Technology indicated that it lacks the budget and staffing resources to\ncomply.\n\nRisk:\n\nPatches are deployed to close those areas subject to exploitation. Without the latest patches being\ndeployed, identified vulnerabilities may be exploited through known attack venues. Further,\nthere is the potential for remote code execution through exploitation of buffer overflows (e.g.\nsending a request for information to the network an inordinate amount of times, ultimately\ncrashing the server and making it inoperable), and other vulnerabilities.\n\nRecommendation(s):\n\n   1. From the report generated via the Numara software product, identify which patches and\n      service packs can be deployed without harming the network. Further, upon completion,\n      review the configuration settings of the servers to ensure security settings have not\n      changed. (The OIG estimates the required level of effort for this recommendation to be\n      40 hours).\n\nManagement Response:\n\nFMC\xe2\x80\x99s OIT department has deployed the patches as recommended and has reviewed the security\nsettings of the servers to ensure the server security settings have not been altered. A copy of the\nnew report has been provided. Further, OIT has instituted automatic updates for the desktop\nenvironment to ensure timely patch deployment.\n\nOIG Comments to Management Response:\n\nOIG obtained the latest patch and service pack report via Numara and noted the following:\n\n   \xe2\x80\xa2     41 missing patches\n   \xe2\x80\xa2     22 missing service packs\n\n\n                                                5\n\x0cThe number of patches and services packs missing are within the reasonable limits and this\nappears to have been resolved at this time. The OIG agrees with management response and this\nissue is considered closed.\n\n\n                                 02. Audit Settings\nCondition:\n\nWe reviewed the audit settings for the servers supporting the FMC applications and noted the\nfollowing:\n\n   1. There is no evidence that audit logs are reviewed by IT personnel. As a result, without\n      reviews of audit logs, there will be no actions taken to mitigate those events generated on\n      an audit log. The audit logs identify those actions which are deemed adverse to the\n      agency. An example of an adverse action would be an unauthorized user attempting to\n      access and modify data.\n   2. The audit logs are set to storage space that is not large enough to meet the needs of the\n      agency. Further, once the audit logs reach space capacity, they are set to overwrite,\n      meaning that older logs will be deleted as new logs are generated. The current size\n      settings are as follows:\n\n            o Application audit log \xe2\x80\x93 9,984KB\n            o Security Log \xe2\x80\x93 179,584KB\n            o System log \xe2\x80\x93 9,984KB\n\nCriteria:\n\nNIST 800-123, Guide to General Server Security, section 4.2.3 states \xe2\x80\x9cAuditing should also\nbe enabled as appropriate to monitor attempts to access protected resources.\xe2\x80\x9d\n\nNIST 800-53, Recommended Security Controls for Federal Information Systems and\nOrganizations, page F-25 (AU-4) states \xe2\x80\x9cThe organization allocates audit record storage\ncapacity and configures auditing to reduce the likelihood of such capacity being exceeded.\xe2\x80\x9d\n\nNIST 800-53 Recommended Security Controls for Federal Information Systems and\nOrganizations, page F-25 (AU-4) states \xe2\x80\x9ca) Reviews and analyzes information system audit\nrecords [Assignment: organization-defined frequency] for indications of inappropriate or unusual\nactivity, and reports findings to designated organizational officials; and b) Adjusts the level of\naudit review, analysis, and reporting within the information system when there is a change in risk\nto organizational operations, organizational assets, individuals, other organizations, or the Nation\nbased on law enforcement information, intelligence information, or other credible sources of\ninformation.\xe2\x80\x9d\n\n\n\n\n                                                 6\n\x0cCause:\n\nThe cause is primarily a lack of personnel, budget, or time constraints to adequately monitor the\nnetwork.\n\nRisk:\n\nWithout appropriate reviews of the audit logs, IT personnel may not be aware of any adverse\nactions taken against the FMC network. This may lead to data corruption or other violations\nagainst the agency. Furthermore, without appropriate space requirements for the audit logs, the\naudit logs generated may either stop working (because the log filled up) or overwrite the existing\nlogs, making the audit logs irrelevant. The storage space requirements should be changed\nimmediately, as there should be no cause for these settings.\n\nRecommendation(s):\n\n  2. Ensure that audit logs are reviewed monthly and necessary actions are taken to respond to\n     those audit events generated as a result of adverse actions. (The OIG estimates the required\n     level of effort for this recommendation to be 5 hours per month.)\n\n  3. Set the audit logs to a size that can sustain the logs being generated. Also, as the logs fill\n     up, they should be moved to another storage medium so that current logs are maintained.\n     (The OIG estimates the required level of effort for this recommendation to be 4 hours.)\n\nManagement Response:\n\nFMC in following the recommendations of the Office of the Inspector General has increased the\nsize of the audit logs to 1024 megabytes and has implemented a monthly log retention and\nreview process whereby the server logs are reviewed on the first Monday of every month. Once\nreviewed, the logs will be moved to a designated log folder in the OIT shared area.\n\nOIG Comments to Management Response:\n\nOIG will retest this issue during the next FISMA cycle, as evidence for management response\nhas not been verified or tested.\n\n\n\n\n                                                7\n\x0c                                   03. Data Center\nCondition:\n\nWe obtained a list of users with access to the Data Center. There were a total of 28 badges with\naccess to the Data Center. The badges were assigned as follows:\n\n   \xe2\x80\xa2     10 \xe2\x80\x93 OIT\n   \xe2\x80\xa2     6 \xe2\x80\x93 Janitorial, Building and Property services\n   \xe2\x80\xa2     12 badges to non-OIT personnel. Some of those badges were issued to contractors.\n\nCriteria:\n\nNIST 800-53 Recommended Security Controls for Federal Information Systems and\nOrganizations page F-78 (PE-3) states \xe2\x80\x9cThe organization enforces physical access\nauthorizations to the information system independent of the physical access controls for the\nfacility.\xe2\x80\x9d Enhancement Supplemental Guidance: \xe2\x80\x9cThis control enhancement applies to server\nrooms, media storage areas, communications centers, or any other areas within an organizational\nfacility containing large concentrations of information system components. The intent is to\nprovide additional physical security for those areas where the organization may be more\nvulnerable due to the concentration of information system components. Security requirements for\nfacilities containing organizational information systems that process, store, or transmit Sensitive\nCompartmented Information (SCI) are consistent with applicable federal laws, Executive Orders,\ndirectives, policies, regulations, standards, and guidance. See also PS-3, security requirements\nfor personnel access to SCI.\xe2\x80\x9d\n\nCause:\n\nThe primary cause is the lack of knowledge of access requirements with respect to accessing the\nData Center.\n\nRisk:\n\nOnly select IT personnel should have access to the Data Center. Providing access to individuals\nwithout a bona fide need increases monitoring costs as well as the likelihood that non-OIT users\ncan sabotage server and data controls. Simply put, the more people that have access to sensitive\nareas and systems, the more that can go wrong. Access should be based on job requirements.\n\nRecommendation(s):\n\n   4. Ensure only IT personnel and others with a job-related need have access to the Data\n      Center by reviewing non-OIT personnel access badges and disabling as appropriate. (The\n      OIG estimates the required level of effort for this recommendation to be 3 hours.)\n\n\n\n\n                                                8\n\x0cManagement Response:\n\nFMC in following the recommendations of the Office of the Inspector General has reduced the\nnumber of data center access badges from 28 to 15. A copy of the current individuals with data\ncenter access is provided. Further, OIT will review access to these spaces on a regular basis.\n\nOIG Comments to Management Response:\n\nThe OIG agrees with management\xe2\x80\x99s response. An updated listing of data center access has been\nobtained and this issue has been corrected. This issue is considered closed.\n\n\n                              04. Contingency Plan\nCondition:\n\nWe obtained the latest Contingency Plans for the network GSS and SERVCON and noted the\nfollowing:\n\n   1. The latest Contingency Plans had not been signed or finalized.\n   2. The latest Contingency Plans were completed in March 2009 and are due for review and\n      updates (if applicable).\n   3. There have been no formalized tests of a simulated disaster contingency to be prepared in\n      the event of a disaster.\n   4. There are no software products deployed to operate the network in the event of a disaster.\n      For example, if the network becomes inoperable, the FMC customers will not be able to\n      access their data (e.g. via SERVCON and email).\n\n   Disaster Recovery Planning and Implementation\n\nOn May 31, 2011, the FMC headquarters building and surrounding area experienced a massive\npower outage that lasted over two days. Such events, although rare, are generally addressed in\nagency Continuity of Operations Plans (COOP) and Disaster Recovery Plans (DRP), with the\nintent of enabling agencies to continue essential functions for staff and stakeholders alike should\nevents occur.\n\nBeginning in FY 2006, the OIG issued security evaluation findings critical of the agency\xe2\x80\x99s\nCOOP and DRP. For example, our 2006 evaluation noted that the agency lacked plans for\nspecific incidents, to include power outages and hardware failures. In November 2007, the OIG\nreported that the FMC\xe2\x80\x99s emergency procedures documentation did not address IT recovery in\nsufficient detail and that it omitted the FMC network entirely. We warned that the FMC was\nlikely to experience delays in recovering IT operations after an emergency. In our 2009\nevaluation, we noted that the FMC lacked an adequate contingency planning program, to include\npolicies, procedures, testing and documentation.\n\n\n\n                                                9\n\x0cIn the FY 2010 evaluation, we noted that the SERVCON contingency plan was not tested, nor\nwere there any contingency planning policies and procedures to identify the frequency and types\nof tests to perform. The OIG warned of likely delays when recovering from a system failure due\nto incomplete and untested contingency planning.\n\nIn FY 2010, management informed the OIG that it took part in the Federal Emergency\nManagement Agency\xe2\x80\x99s (FEMA) Eagle Horizon continuity mandatory exercise for all federal\nexecutive branch departments and agencies. This test evaluated the accessibility and\nfunctionality of the FMC-18, e-mail, Registered Person Index (RPI), CADRS\xe2\x80\x99 database,\nMSWord and Adobe, in the event of a disruption. However, it now appears that the connections\ntested were, in fact, the headquarters datacenter, and not those at the COOP site.\n\nThe power outage impacted critical business operations because the agency could not rely on its\nCOOP site and its disaster recovery plan to take over for the temporarily non-functioning FMC\nservers. Commission staff was without email, phones and internet access for over 48 hours.\nFurther, critical online business applications, including SERVCON were down. Importantly, no\nFMC applications were accessible at the COOP site. Only one server \xe2\x80\x93 Form FMC-1 \xe2\x80\x93 was in\nplace but it was not connected. No other servers were in place. 1\n\nAt the same time, the agency was spending approximately $24,000 per year over three years to\nmaintain the COOP site in the event of an emergency, even though, unbeknownst to senior\nmanagement, it was not functional.2 When management discovered the situation in June of\n2011, it cut funding at the site until such time that a DRP could be prepared and implemented.\n\nMoving forward, the agency has begun discussions with Health and Human Services (HHS)\nregarding the agency\xe2\x80\x99s disaster recovery plan as a first step in establishing a comprehensive\nagency wide COOP plan. Specifically the agency is exploring \xe2\x80\x9ccontracting\xe2\x80\x9d its data replication\nneeds to facilities within HHS. For about $79,000 per year, the agency can purchase a full\ncontingency back up. Once up and running, the agency plans to transition its data center to NIH,\neliminating the need to maintain a data center at the FMC. The agency would then rely on\nsecurity provided by HHS, reducing the agency\xe2\x80\x99s costs for many security requirements. The\nagency is also considering a scaled-down version whereby it could replicate data from its file\nserver, email and SERVCON application for about $27,000 annually. The OIG believes that\nthese approaches have merit and should be seriously considered as a viable and cost effective\nsolution to addressing OIT\xe2\x80\x99s contingency needs and FISMA requirements.\n\n\n\n\n1\n  The FMC battery backups at its headquarters datacenter worked as designed. All servers were provided power to\nsafely shut down without any data loss. However, these battery backups were not designed to power servers to keep\nthem running. Consequently, the agency temporarily lost all net-based services.\n\n2\n  The amount spent by the agency over this three year period to rent space for FMC servers that were never installed\nrepresents funds put to better use by the FMC totaling $72,000.\n\n\n                                                        10\n\x0cCriteria:\n\nNIST 800-34 Contingency Planning for Federal Information Systems 3.6 states \xe2\x80\x9cTo be\neffective, the plan must be maintained in a ready state that accurately reflects system\nrequirements,      procedures, organizational   structure   and     policies.   During     the\nOperation/Maintenance phase of the Software Development Life Cycle (SDLC), information\nsystems undergo frequent changes because of shifting business needs, technology upgrades, or\nnew internal or external policies. Therefore, it is essential that the Information System\nContingency Plan (ISCP) be reviewed and updated regularly as part of the organization\xe2\x80\x99s change\nmanagement process to ensure that new information is documented and contingency measures\nare revised if required.\n\nNIST 800-34 Contingency Planning for Federal Information Systems 3.5 states \xe2\x80\x9cPlan\nTesting, Training, and Exercises (TT&E)\xe2\x80\xa6 An ISCP should be maintained in a state of\nreadiness, which includes having personnel trained to fulfill their roles and responsibilities\nwithin the plan, having plans exercised to validate their content, and having systems and system\ncomponents tested to ensure their operability in the environment specified in the ISCP. In\naddition, as indicated in Step 4 (Assess Security Controls) of the RMF, the effectiveness of the\ninformation system controls should be assessed by using the procedures documented in NIST SP\n800-53A, Guide for Assessing the Security Controls in Federal Information Systems. NIST SP\n800-84, Guide to Test, Training and Exercise Programs for Information Technology Plans and\nCapabilities, provides guidelines on designing, developing, conducting, and evaluating test,\ntraining, and exercise (TT&E) events so that organizations can improve their ability to prepare\nfor, respond to, manage, and recover from adverse events. While the majority of TT&E activities\noccur during the Operations/Maintenance phase, initial TT&E events should be conducted during\nthe Implementation/Assessment phase of the SDLC to validate ISCP recovery procedures.\xe2\x80\x9d\n\n\xe2\x80\x9cOrganizations should conduct TT&E events periodically, following organizational or system\nchanges, or the issuance of new TT&E guidance, or as otherwise needed. Execution of TT&E\nevents assists organizations in determining the plan\xe2\x80\x99s effectiveness, and that all personnel know\nwhat their roles are in the conduct of each information system plan. TT&E event schedules are\noften dictated in part by organizational requirements. For example, NIST SP 800-53 includes a\ncontrol (CP-4) for federal organizations to conduct exercises or tests for their systems\xe2\x80\x99\ncontingency plans around an organization-defined frequency. Section 3.5.4 provides guidance on\nthe type of TT&E identified for each FIPS 199 impact level.\xe2\x80\x9d\n\n\xe2\x80\x9cFor each TT&E activity conducted, results are documented in an after-action report, and lessons\nlearned corrective actions are captured for updating information in the ISCP.\xe2\x80\x9d The NIST SP\n800-84 provides detailed information on how to plan and conduct TT&E activities.\n\nCause:\n\nThe lack of personnel, budget, or time to adequately review and update the Contingency Plans,\nas well as deploy software products to support the network in the event of a disaster.\n\n\n\n\n                                               11\n\x0cRisk:\n\nIn the event of a disaster, the FMC will be unprepared, as occurred in June 2011. Although data\nis being backed up and stored off-site, this provides for data reconstitution only and not\nnecessarily ongoing live administration. The current setting for FMC did not allow for\ncontinuous connectivity in the event of a disaster.\n\nRecommendation(s):\n\n   5. Ensure that the Contingency Plan has been reviewed and signed off as final. Also, ensure\n      that OIT performs a contingency test, training, and exercise in accordance with NIST\n      800-34. The estimated level of effort for this recommendation is 40 hours.\n\nManagement Response:\n\nFMC acknowledges finding # 04. FMC has met with HHS regarding the agency\xe2\x80\x99s disaster\nrecovery plan as a first step in establishing a comprehensive agency-wide contingency plan.\nFMC anticipates implementing and testing this recommendation by the fourth quarter of FY12.\n\nOIG Comments to Management Response:\n\nOIG has reviewed management\xe2\x80\x99s response; however this response does not address all of the\nissues contained within the condition. For example, the Contingency Plan needs to be finalized\nand signed which was not reflected in management\xe2\x80\x99s response. This will be tested again in the\nnext FISMA cycle, however this issue is relatively straightforward to correct and this should be\nremediated sooner than the anticipated timeframe.\n\n\n                            05. Incident Response\nCondition:\n\nIncident response is concerned with identifying, managing and preventing those events that are\nattacks on an agency network. We inquired about incident response with IT personnel. It was\nrevealed that there is no incident response training for IT personnel to assist in identifying\nharmful incidents. There is also no incident response reporting mechanisms in place to identify,\ndocument, report and manage those security related incidents that arise.\n\nCriteria:\n\nNIST 800-53 Recommended Security Controls for Federal Information Systems and\nOrganizations page F-63 (IR-5) states \xe2\x80\x9cThe organization tracks and documents information\nsystem security incidents. Supplemental Guidance: Documenting information system security\nincidents includes, for example, maintaining records about each incident, the status of the\nincident, and other pertinent information necessary for forensics, evaluating incident details,\ntrends, and handling. Incident information can be obtained from a variety of sources including,\n\n                                              12\n\x0cfor example, incident reports, incident response teams, audit monitoring, network monitoring,\nphysical access monitoring, and user/administrator reports.\xe2\x80\x9d\n\nNIST 800-53 Recommended Security Controls for Federal Information Systems and\nOrganizations page F-61 (IR-2) states \xe2\x80\x9c(1) The organization incorporates simulated events into\nincident response training to facilitate effective response by personnel in crisis situations. (2) The\norganization employs automated mechanisms to provide a more thorough and realistic training\nenvironment.\xe2\x80\x9d\n\nCause:\n\nOIT indicated that it lacks the budget and staffing resources to comply.\n\nRisk:\n\nIn the event of an incident, the FMC will likely be unprepared to isolate an exploited weakness\nfrom the FMC network because incident response training has not been provided to OIT\npersonnel that manage the network.\n\nRecommendation(s):\n\n   6. Ensure that IT personnel are properly trained with regard to incident response prevention,\n      detection, and correction. The estimated level of effort for this recommendation is 40\n      hours per year for each OIT employee with incident response responsibilities.\n   7. The FMC should implement formal incident response procedures so that in the event of\n      an incident, the appropriate responses could be taken to minimize any adverse impact to\n      the agency. (The OIG estimates the required level of effort for this recommendation to be\n      20 hours.).\n\nManagement Response:\n\nFMC\xe2\x80\x99s information technology personnel are required to take and pass an additional security\nawareness test designed for IT professionals annually. FMC IT personnel are also required to\nannually review and be familiar with Managing Directive 2011 \xe2\x80\x93 2 Incident Response, and FMC\nform 93 Initial Security Incident Report at the conclusion of the annual security awareness test\ndesigned for IT professionals.\n\nOIG Comments to Management Response:\n\nOIG agrees with management response with regard to recommendation number 7; however\nmanagement has not addressed the issue of specific IT training related to Incident Response\nhandling. This recommendation will remain open.\n\n\n\n\n                                                 13\n\x0c                                    06. HSPD-12\nCondition:\n\nIt was revealed that the FMC has not implemented the Homeland Security Presidential Directive\n(HSPD)-12 requirements across the agency. The FMC has provided agency employees\n(excluding contractors) with the PIV card but has not fully implemented all requirements.\n\nCriteria:\n\nNIST 800-116 Recommendation for the Use of PIV Credentials in Physical Access Control\nSystems (PACS) section 2.2 states \xe2\x80\x9cHSPD-12 mandates the establishment of a government-\nwide standard for identity credentials to improve physical security in federally-controlled\nfacilities. To that end, HSPD-12 requires all government employees and contractors be issued a\nnew identity credential based on the FIPS 201 on PIV. Following FIPS 201, this credential is\nreferred to herein as a PIV Card.\xe2\x80\x9d This section also states: \xe2\x80\x9cRecommendation: The OMB\nMemorandum [M-08-01] requires that the credential issuance be accomplished by October 27,\n2008 (or by the date specified in the implementation plan mutually agreed-upon by the agency\nand OMB). Agency implementation plans should be written to accomplish the goals of\nHSPD-12.\n\n\xe2\x80\x9cHSPD-12 explicitly requires the use of PIV Cards \xe2\x80\x9cin gaining physical access to federally\ncontrolled facilities and logical access to federally controlled information systems.\xe2\x80\x9d [HSPD-12]\nThe PIV Card employs microprocessor-based smart card technology, and is designed to be\ncounterfeit-resistant, tamper-resistant, and interoperable across Federal government facilities.\nAdditionally, the FIPS 201 standards suite defines the authentication mechanisms as transactions\nbetween a PIV Card and a relying party. FIPS 201 does not, however, elaborate on the uses and\napplications of the PIV Card. This document provides guidelines on the uses of PIV Cards with\nPhysical Access Control Systems (PACS).\xe2\x80\x9d\n\nCause:\n\nA lack of personnel and/or the budget to provide for agency-wide implementation of the HSPD-\n12 requirements.\n\nRisk:\n\nThe HSPD-12 requirements ensure that authentication is stronger, thus decreasing unauthorized\naccess into the network. Without implementation of the HSPD-12, the FMC deploys two-factor\nauthentication only and is not complemented by the PIV cards. This increases the risk of\nunauthorized access to data and systems.\n\nRecommendation(s):\n\n   8. Implement HSPD-12 requirements in accordance with laws and regulations. (The OIG\n      estimates the required level of effort for this recommendation to be 40 hours.)\n                                              14\n\x0cManagement Response:\n\nFMC has begun the process of implementing HSPD-12 logical access. FMC has purchased and\nreceived 260 SCR331 USB Smart Card Readers along with the Windows Active Client software\nand user licenses. FMC\xe2\x80\x99s OIT department has created an Active Directory Group Policy Object\nthat requires smart card login. Through the testing phase, FMC has encountered several\nlimitations and is requesting further guidance from OMB. These limitations include BlackBerry\naccess, telework access technology and costs, and procedures for lost or stolen PIV cards. FMC\nhas not been issuing PIV ID cards in-house due to costs and limited personnel, which limits the\nability to create new, temporary or replacement cards for employees. FMC has reached out to\nthe Federal CIO council for further guidance and was informed that as of yet, there are no\nFederal agencies that were successful in fully implementing HSPD-12 due to the same issues\nexperienced by FMC. If these issues, which appear to be affecting all agencies, are resolved,\nFMC anticipates implementation of the logical access portion of HSPD-12 during the 4th quarter\nof FY12.\n\nOIG Comments to Management Response:\n\nOIG will retest this issue in the next FISMA cycle, as management plans to implement the OIG\nrecommendation in FY 2012.\n\n\n                                      07. Privacy\nCondition:\n\nThrough inquiry with and information provided to us by various agency personnel, we learned\nthat the agency is not identifying:\n\n   o Systems with Personally Identifiable Information (PII) and Information in Identifiable\n     Form (IIF).\n   o Systems in need a Privacy Impact Assessment (PIA).\n   o Which PIAs need to be posted on the FMC website?\n   o Information that needs to be redacted prior to posting of the PIA on the FMC website.\n\nWe found that three PIAs were required on the agency\xe2\x80\x99s major applications: GSS network, FMC\nDatabase (FMCDB), and SERVCON. Only the GSS Network and SERVCON had PIAs,\nhowever they are outdated. The FMCDB does not currently have a PIA. There are no PIAs\nposted on the FMC website.\n\nCriteria:\n\nPersonally Identifiable Information (PII) can be used to distinguish or trace an individual\'s\nidentity, such as their name, social security number, biometric records, etc., alone, or when\ncombined with other personal or identifying information which is linked or linkable to a specific\n\n\n                                               15\n\x0cindividual, such as date and place of birth, mother\xe2\x80\x99s maiden name, etc. (OMB Memorandum 07-\n16).\n\nTo distinguish an individual is to identify an individual\xe2\x80\x99s (NIST 800-122 section 2.1).\n\n   \xe2\x80\xa2   Name, such as full name, maiden name, mother\xe2\x80\x99s maiden name, or alias\n   \xe2\x80\xa2   Personal identification number, such as Social Security Number (SSN), passport number,\n       driver\xe2\x80\x99s license number, taxpayer identification number, patient identification number,\n       and financial account or credit card number\n   \xe2\x80\xa2   Address information, such as street address or email address\n   \xe2\x80\xa2   Asset information, such as Internet Protocol (IP) or Media Access Control (MAC)\n       address or other host-specific persistent static identifier that consistently links to a\n       particular person or small, well-defined group of people\n   \xe2\x80\xa2   Telephone numbers, including mobile, business, and personal numbers\n   \xe2\x80\xa2   Personal characteristics, including photographic image (especially of face or other\n       distinguishing characteristic), x-rays, fingerprints, or other biometric image or template\n       data (e.g., retina scans, voice signature, facial geometry)\n   \xe2\x80\xa2   Information identifying personally owned property, such as vehicle registration or\n       identification number, and title numbers and related information\n   \xe2\x80\xa2   Information about an individual that is linked or linkable to one of the above (e.g., date of\n       birth, place of birth, race, religion, weight, activities, or employment, medical, education,\n       or financial information).\n\nThe E-Government Act requires PIAs to be performed and updated as necessary where a system\nchange creates new privacy risks. For example:\n\n   \xe2\x80\xa2   Conversions - when converting paper-based records to electronic systems;\n   \xe2\x80\xa2   Anonymous to Non-Anonymous - when functions applied to an existing information\n       collection change anonymous information into information in identifiable form;\n   \xe2\x80\xa2   Significant System Management Changes - when new uses of an existing IT system,\n       including application of new technologies, significantly change how information in\n       identifiable form is managed in the system:\n   \xe2\x80\xa2   Significant Merging - when agencies adopt or alter business processes so that government\n       databases holding information in identifiable form are merged, centralized, matched with\n       other databases or otherwise significantly manipulated:\n   \xe2\x80\xa2   New Public Access - when user-authenticating technology (e.g., password, digital\n       certificate, biometric) is newly applied to an electronic information system accessed by\n       members of the public;\n   \xe2\x80\xa2   Commercial Sources - when agencies systematically incorporate into existing\n       information systems databases of information in identifiable form purchased or obtained\n       from commercial or public sources. (Merely querying such a source on an ad hoc basis\n       using existing technology does not trigger the PIA requirement);\n   \xe2\x80\xa2   Internal Flow or Collection - when alteration of a business process results in significant\n       new uses or disclosures of information or incorporation into the system of additional\n       items of information in identifiable form:\n\n                                                16\n\x0c   \xe2\x80\xa2     Alteration in Character of Data - when new information in identifiable form added to a\n         collection raises the risks to personal privacy (for example, the addition of health or\n         financial information)\n\nOMB Memorandum 03-22, Guidance for Implementing the Privacy Provisions of the E-\nGovernment Act of 2002, section II.B.2, states that:\n\n         \xe2\x80\x9cThe confidentiality of PII should be protected based on its risk level. This section\n         outlines factors for determining the PII confidentiality impact level for a particular\n         instance of PII, which is distinct from the confidentiality impact level described in\n         Federal Information Processing Standards (FIPS) Publication 199, Standards for Security\n         Categorization of Federal Information and Information Systems. The PII confidentiality\n         impact level takes into account additional PII considerations and should be used to\n         determine if additional protections should be implemented. The PII confidentiality impact\n         level\xe2\x80\x94low, moderate, or high\xe2\x80\x94indicates the potential harm that could result to the\n         subject individuals and/or the organization if the PII were inappropriately accessed, used,\n         or disclosed. Once the PII confidentiality impact level is selected, it should be used to\n         supplement the provisional confidentiality impact level, which is determined from\n         information and system categorization processes outlined in FIPS 199 and NIST Special\n         Publication (SP) 800-60, Volumes 1 and 2: Guide for Mapping Types of Information and\n         Information Systems to Security Categories.\xe2\x80\x9d\n\nCause:\n\nThis is the result of there being a lack of personnel to prepare and manage the privacy\nrequirements, and a lack of clear understanding of when a PIA is required.\n\nRecommendation:\n\n   9. A system inventory should be maintained and from this listing, the following should be\n      performed:\n\n            o Identify which of those systems have PII and IIF. The estimated level of effort for\n              this recommendation is 4 hours.\n            o Identify which of those systems need a PIA. The estimated level of effort for this\n              recommendation is 2 hours.\n            o Identify which of those PIAs need to be posted on the FMC website. The\n              estimated level of effort for this recommendation is 1 hour.\n            o Identify information that needs to be redacted prior to posting of the PIA on the\n              FMC website. The estimated level of effort for this recommendation is 4 hours.\n\nManagement Response:\n\nFMC concurs with the findings of the Office of the Inspector General and will employ the\nrecommendations above by the 3rd quarter of FY12.\n\n\n                                                 17\n\x0cOIG Comments to Management Response:\n\nOIG has reviewed management response and will be tested in the next FISMA cycle.\n\n\n                                  08. Access Rights\nCondition:\n\nWe reviewed the complexity settings (e.g. date of last logon) of the FMC servers as well as\ninquired with various IT personnel. The following was noted:\n\n   \xe2\x80\xa2   There are no reviews of user access to ensure that those users who are terminated,\n       transferred, or promoted have their access rights reviewed and updated accordingly.\n   \xe2\x80\xa2   Six users that are external to the agency have access to FMC data and their activity has\n       not been reviewed.\n\n                   o Three of the six users have not logged on since 2008 and their access was\n                     not deactivated.\n                   o One of the six has not logged in for more than six months and also has not\n                     been deactivated.\n                   o Two users have logged on within three months.\n\nCriteria:\n\nFMC Inactive Account Policy OIT-P04 states the following:\n\nSection 1 states \xe2\x80\x9cPurpose. The purpose of this policy is to ensure that user accounts exist only for\nauthorized users and FMC OIT staff is required to regularly identify, disable, and purge inactive\naccounts in a timely and coordinated manner.\xe2\x80\x9d\n\nSection 5 states \xe2\x80\x9cPolicy. a. On a monthly basis, the OIT Network Engineer (NE) will identify\nand immediately disable inactive Windows LAN accounts.\xe2\x80\x9d\n\nSection 6 states \xe2\x80\x9cResponsibilities. a. OIT. OIT is responsible for: (i) Disabling inactive accounts,\n(ii) Distributing information received regarding inactive accounts to the OIT Network Engineer,\n(iii) Providing an email to office/bureau heads, COTRs, and the CIO identifying disabled\naccounts with necessary next steps.\xe2\x80\x9d\n\nNIST 800-53 Recommended Security Controls for Federal Information Systems and\nOrganizations page F-4 (AC-2) states \xe2\x80\x9cThe information system automatically disables inactive\naccounts after [Assignment: organization-defined time period]. (4) The information system\nautomatically audits account creation, modification, disabling, and termination actions and\nnotifies, as required, appropriate individuals. (5) The organization: (a) Requires that users log out\nwhen [Assignment: organization defined time-period of expected inactivity and/or description of\nwhen to log out].\xe2\x80\x9d\n\n                                                 18\n\x0cCause:\n\nCheck out processes weaknesses and lax monitoring procedures regarding account changes\nneeded for those employees changing positions.\n\nRisk:\n\nWithout appropriate reviews of the user access rights, users will inadvertently possess rights that\nexceed their authorizations. This creates a situation whereby exploitation can occur.\nFurthermore, if a user has not logged on after a period of inactivity and still has an active\naccount, this can also be used for exploitation by another user.\n\nRecommendation(s):\n\n   10. Ensure that IT incorporates the agency\xe2\x80\x99s checkout process for terminated employees into\n       its access procedures and updates access permissions for those employees who are\n       promoted or move (i.e., change assignments) within the agency. This will ensure that IT\n       changes the user access settings appropriately. IT should also review access rights on a\n       quarterly basis and work with other Commission bureaus and offices to identify and\n       assess non-FMC personnel access needs for other users such as those users that are\n       external to the agency. (The estimated level of effort for this recommendation is 3 hours\n       every time a person\xe2\x80\x99s position has changed, e.g. terminated, promoted, etc.).\n\nManagement Response:\n\nFMC currently employs a checkout procedure for terminated employees. FMC will implement a\nquarterly access rights review for all internal and external accounts, which access the FMC\nnetwork. FMC will implement an employee access rights review anytime an employee is\npromoted, transferred, or terminated. Further, the user accounts, which are external to the\nagency, identified during the audit have since been deactivated.\n\nOIG Comments to Management Response:\n\nOIG has not reviewed subsequent actions to ascertain if this finding has been resolved. This will\nbe tested in the next FISMA cycle.\n\n\n                            09. Security Awareness\nCondition:\n\nReview of the security awareness training records we identified eight of approximately 120 staff\n(7 percent) employees that have not taken the required Security Awareness Training. Further, the\nagency is not enforcing its recently issued Management Directive requiring loss of network\nprivileges when training isn\xe2\x80\x99t taken.\n\n\n                                                19\n\x0cCriteria:\n\nFMC Management Directive 2011-4 IT Security for Personnel, section 5 states \xe2\x80\x9cIf an\nemployee or contractor does not take the required training within the requested timeframe, upon\ntheir next login to the network, they will be automatically redirected to the training class and\naccess to the network will not be granted until the training has been successfully completed.\xe2\x80\x9d\nAlso stated was \xe2\x80\x9cEach employee and contractor shall receive a mandatory annual cyber security\nawareness briefing, which may be delivered in an auditorium lecture, videotape, or CBT format.\xe2\x80\x9d\n\nNIST 800-50 Building an Information Technology Security Awareness and Training\nProgram page ES-3 states \xe2\x80\x9cFederal agencies and organizations cannot protect the\nconfidentiality, integrity, and availability of information in today\xe2\x80\x99s highly networked systems\nenvironment without ensuring that all people involved in using and managing IT:\n\n   \xe2\x80\xa2     Understand their roles and responsibilities related to the organizational mission;\n   \xe2\x80\xa2     Understand the organization\xe2\x80\x99s IT security policy, procedures, and practices; and\n   \xe2\x80\xa2     Have at least adequate knowledge of the various management, operational, and technical\n         controls required and available to protect the IT resources for which they are responsible.\n\nIn the IT community, it is generally understood by the IT security professional community that\npeople are one of the weakest links in attempts to secure systems and networks. The \xe2\x80\x9cpeople\nfactor\xe2\x80\x9d - not technology - is key to providing an adequate and appropriate level of security. If\npeople are the key, but are also a weak link, more and better attention must be paid to this\n\xe2\x80\x9casset.\xe2\x80\x9d A robust and enterprise wide awareness and training program is paramount to ensuring\nthat people understand their IT security responsibilities, organizational policies, and how to\nproperly use and protect the IT resources entrusted to them.\xe2\x80\x9d\n\nCause:\n\nThe cause is primarily a lack of importance perceived by agency personnel and management\nsupport. Security Awareness training must be perceived as important and mandatory. Training\nmust not be perceived as an option.\n\nRisk:\n\nWithout appropriate security awareness training, employees may conduct agency business in\nways that are not conducive to best security practices. This could result in lost or shared\npasswords or other vulnerabilities. Personnel need to be made aware of their responsibilities with\ngovernment data and the impact on the agency as a whole if data is compromised.\n\nRecommendation(s):\n\n   11. Ensure that all agency personnel take Security Awareness Training every year in\n       accordance with NIST 800-50 and comply with IT Security for Personnel MD 2011-4.\n       (The OIG estimates the level of effort to implement this recommendation at 10 hours to\n\n\n                                                 20\n\x0c        update the Security Awareness training each year and 2 hours for each employee to take\n        the training).\n\nManagement Response:\n\nAll Commission personnel have taken Security Awareness Training this year, and will be\nrequired to continue to do so in the future, in accordance with FMC Management Directive\n2011-4 IT Security for Personnel.\n\nOIG Comments to Management Response:\n\nThe OIG has obtained evidence that indicated that the remaining personnel have now taken the\nsecurity awareness training. This issue is considered closed.\n\n\n                   10. Password Complexity Settings\nCondition:\n\nWe reviewed various password complexity settings on servers supporting the FMC applications\nand noted the following:\n\n    \xe2\x80\xa2    Password complexity was set to \xe2\x80\x9cdisabled\xe2\x80\x9d and not set for agency users. This means that\n         agency users are not required to have passwords that meet complexity requirements such\n         as alpha-numeric, special character, maximum length and password reuse.\n\nCriteria:\n\nFMC Password Policy OIT-P01 states the following:\n\nSection 1, Purpose, states \xe2\x80\x9cThe purpose of this policy is to establish a standard for creating\nstrong passwords, protecting passwords and frequently changing passwords.\xe2\x80\x9d\n\nSection 2 states \xe2\x80\x9cThis policy applies to all FMC Systems and Applications and includes all FMC\nemployees, contractors, and others who are responsible for an account on an FMC system or\nnetwork.\xe2\x80\x9d\n\nSection 5, Policy, states:\n\n        a. All user-level passwords (e.g. email, desktop, etc.) must be changed at least every 90\n           days.\n        b. All user passwords must be changed anytime a system or application manager leaves\n           the FMC or has a change in duties where privileged access is no longer needed.\n        c. Passwords should be communicated to intended recipients in a secure manner.\n        d. The administrator will assign a temporary password at account creation or when staff\n           computer upgrades occur. Forced change will occur at first login.\n\n                                                21\n\x0c      e. All passwords will be stored in a secured manner.\n      f. Batch jobs and scripts must not store/contain passwords in plain text.\n      g. All accounts will lock after 4 consecutive failed login attempts.\n      h. Remote access into the FMC infrastructure must occur in a secure manner and in\n         accordance with the OIT Policy on Remote Access.\n      i. When placing systems in production, default passwords must be changed during\n         installation and prior to system certification. This includes hardware devices and\n         software applications.\n      j. All user-level and system-level passwords must conform to the strong password\n         described in the definitions section.\n      k. FMC users should not use the same password for FMC accounts as for other non-FMC\n         accounts.\xe2\x80\x9d\n\nNIST 800-123 Guide to General Server Security, section 4.2.2 states \xe2\x80\x9cCheck the\nOrganization\xe2\x80\x99s Password Policy\xe2\x80\x94Set account passwords appropriately. Elements that may be\naddressed in a password policy include the following:\n\n   \xe2\x80\x93 Length\xe2\x80\x94a minimum length for passwords.\n\n   \xe2\x80\x93 Complexity\xe2\x80\x94the mix of characters required. An example is requiring passwords to contain\n     uppercase letters, lowercase letters, and non-alphabetic characters, and to not contain\n     \xe2\x80\x9cdictionary\xe2\x80\x9d words.\n\n   \xe2\x80\x93 Aging\xe2\x80\x94how long a password may remain unchanged. Many policies require users and\n     administrators to change their passwords periodically. In such cases, the frequency should\n     be determined by the enforced length and complexity of the password, the sensitivity of\n     the information protected, and the exposure level of passwords. If aging is required,\n     consideration should be given to enforcing a minimum aging duration to prevent users\n     from rapidly cycling through password changes to clear out their password history and\n     bypass reuse restrictions.\n\n   \xe2\x80\x93 Reuse\xe2\x80\x94whether a password may be reused. Some users try to defeat a password aging\n     requirement by changing the password to one they have used previously. If reuse is\n     prohibited by policy, it is beneficial, if possible, to ensure that users cannot change their\n     passwords by merely appending characters to the beginning or end of their original\n     passwords (e.g., original password was \xe2\x80\x9cmysecret\xe2\x80\x9d that is changed to \xe2\x80\x9c1mysecret\xe2\x80\x9d or\n     \xe2\x80\x9cmysecret1\xe2\x80\x9d).\n\nCause:\n\nA lack of personnel, budget, or time constraints to adequately review and implement appropriate\npassword complexity.\n\n\n\n\n                                               22\n\x0cRisk:\n\nWithout appropriate password complexity settings (especially for IT related personnel), users\nwill have authentication credentials that are weak and susceptible to exploitation. Weak\nauthentication for the IT personnel will raise the risk of spoofing a user (pretending to be\nsomeone else) and access gained can be used for adverse actions.\n\nRecommendation(s):\n\n   12. Ensure that password complexity is set to \xe2\x80\x9cenabled\xe2\x80\x9d and applies to all personnel within\n       the FMC agency. (The OIG estimates the level of effort for this recommendation at 4\n       hours.)\n\nManagement Response:\n\nFinding #10 is acknowledged by the FMC. FMC realizes that by requiring complex password\nusage overall network security is enhanced. Currently FMC\xe2\x80\x99s network requires a 6 character\npassword. FMC is currently in the process of implementing the HSPD-12 PIV two-factor\nauthentication requirements at which point the password complexity requirement will become\nirrelevant. FMC is aware of the risk associated with not requiring complex passwords.\n\nOIG Comments to Management Response:\n\nThe OIG notes that the FMC has implemented a password length requirement that is below\nindustry and NIST-recommended standards. While the implementation of HSPD-12 will make\nthe issue moot, the OIG believes, based on discussions with staff, that the implementation is not\nimminent. Substantial delays often accompany major migration and changes. Management,\nalthough not explicitly stated, also is concerned with the impact on staff having to remember\nlonger, potentially more complex passwords. In a prior recommendation response, management\nstated that it plans to implement major portions of HSPD-12 by September 30, 2012. The OIG\ncontinues to believe that the agency should require all network users to have passwords that meet\ncomplexity requirements such as alpha-numeric, special character, maximum length and\npassword reuse, until HSPD requirements are implemented.\n\n\n\n\n                                               23\n\x0c                 11. Certification and Accreditation\nCondition:\n\nObtained the latest Certification and Accreditation (C&A) packages for the General Support\nSystems (GSS) and Major Applications (MA) and noted the following:\n\n   1. The Network GSS C&A and the SERVCON C&A were not signed or finalized.\n   2. The Network GSS and SERVCON System Security Plans (SSP) were not signed or\n      finalized.\n   3. The SERVCON FIPS-199 Security Categorization resulted in a \xe2\x80\x9cHigh\xe2\x80\x9d categorization\n      and should have been a \xe2\x80\x9cModerate\xe2\x80\x9d categorization.\n   4. The implementation status was not identified correctly. For example, Risk Assessment\n      (RA) RA-5 states that scans are conducted, while inquiry revealed that scans were not\n      conducted.\n   5. The Network GSS C&A package also included a Security Test and Evaluations (STE).\n      The STE results identified vulnerabilities, however there was no evidence that they were\n      remediated or corrected. The SERVCON STE had no results at all leading the OIG to\n      conclude that tests were not performed.\n   6. The Network GSS contained control implementation documentation for the FMCDB\n      system. The FMCDB should be a separate C&A package.\n   7. The SERVCON system meets the requirements for an e-Authentication assessment.\n      However, this assessment was not completed for the SERVCON system.\n\nCriteria:\n\nNIST FIPS-199 Standards for Security Categorization of Federal Information Systems 3.0\nstates \xe2\x80\x9cThe potential impact is HIGH if\xe2\x80\x94\n\n\xe2\x88\x92 The loss of confidentiality, integrity, or availability could be expected to have a severe or\ncatastrophic adverse effect on organizational operations, organizational assets, or individuals.\xe2\x80\x9d\n\nNIST 800-37 Guide to Applying the Risk Management Framework to Federal Information\nSystems section 2.1 states \xe2\x80\x9cAssess the security controls using appropriate assessment\nprocedures to determine the extent to which the controls are implemented correctly, operating as\nintended, and producing the desired outcome with respect to meeting the security requirements\nfor the system.\n\nNIST 800-37 Guide to Applying the Risk Management Framework to Federal Information\nSystems section 2.1 states \xe2\x80\x9cAuthorize information system operation based on a determination\nof the risk to organizational operations and assets, individuals, other organizations, and the\nNation resulting from the operation of the information system and the decision that this risk is\nacceptable.\xe2\x80\x9d\n\n\n\n\n                                               24\n\x0cNIST 800-37 Guide to Applying the Risk Management Framework to Federal Information\nSystems section 2.3.1 states \xe2\x80\x9cIn addition to consideration of direct management control, it may\nalso be helpful for organizations to determine if the information resources being identified as an\ninformation system:\n\n\xe2\x80\xa2 Support the same mission/business objectives or functions and essentially the same operating\ncharacteristics and information security requirements; and\n\n\xe2\x80\xa2 Reside in the same general operating environment (or in the case of a distributed information\nsystem, reside in various locations with similar operating environments).\xe2\x80\x9d\n\nNIST 800-18 Guide for Developing Security Plans for Federal Information Systems section\n3.16 states \xe2\x80\x9cOnce the information system security plan is developed, it is important to\nperiodically assess the plan, review any change in system status, functionality, design, etc., and\nensure that the plan continues to reflect the correct information about the system. This\ndocumentation and its correctness are critical for system certification activity. All plans should\nbe reviewed and updated, if appropriate, at least annually.\xe2\x80\x9d\n\nAccording to OMB Memorandum M-04-04, E-Authentication Guidance for Federal\nAgencies, e-authentication is defined as the process of establishing confidence in user identities\nelectronically presented to an information system. OMB M-04-04 states that e-authentication\n\xe2\x80\x9capplies to all [Federal Electronic] transactions for which authentication is required, regardless\nof the constituency (e.g. individual user, business, or government entity).\xe2\x80\x9d OMB guidance\nprovides assistance to federal agencies in determining the appropriate level of assurance for\nelectronic transactions requiring authentication by establishing and describing four levels of\nidentity assurance, as well as providing strategies for determining which of these levels is\nappropriate for the information system.\n\nIn accordance with OMB M-04-04, all federal agencies must conduct an e-authentication risk\nassessment on those systems that remotely authenticate users over a network for purposes of e-\ngovernment and commerce to determine the required level of authentication assurance for the\ninformation system. As later clarified in OMB M-08-21, FY 2008 Reporting Instructions for\nFISMA and Privacy Data, an e-authentication application is an application that meets the\nfollowing criteria:\n\n   \xe2\x80\xa2     Is web-based;\n   \xe2\x80\xa2     Requires authentication; and\n   \xe2\x80\xa2     Extends beyond the borders of your enterprise (e.g. multi-agency, government-wide, or\n         public facing)\n\nIf all three of these criteria are met, an e-authentication Risk Assessment is required. If any of\nthe above criteria are not met, then an e-authentication Risk Assessment is not required.\n\nCause:\n\nAgency does not have the budget or personnel resources.\n\n                                               25\n\x0cRisk:\n\nWithout properly prepared C&A packages, systems will be categorized incorrectly, and the\nwrong controls will be selected for testing. Furthermore, documents will not be reviewed and\nupdated as technologies and risks change. These will result in a weaker security posture for the\nagency as a whole and could ultimately lead to exploitation of weaknesses.\n\nRecommendation(s):\n\n   13. The Network GSS C&A and the SERVCON C&A should be signed and finalized. (The\n       OIG estimates the level of effort for this recommendation at 4 hours.)\n   14. The Network GSS and SERVCON System Security Plans (SSP) should be signed and\n       finalized. (The OIG estimates the level of effort for this recommendation at 4 hours.)\n   15. The SERVCON FIPS-199 Security Categorization should be a \xe2\x80\x9cModerate\xe2\x80\x9d\n       categorization. (The OIG estimates the level of effort for this recommendation at 4\n       hours.)\n   16. All controls in the SSPs should be reviewed to ensure their implementation status is\n       correct. The estimated level of effort for this recommendation is 40 hours.\n   17. Any weaknesses as a result of STEs should be corrected immediately. (The OIG\n       estimates the level of effort for this recommendation at 20 hours.)\n   18. The FMCDB should be carved out into a separate C&A package. (The OIG estimates the\n       level of effort for this recommendation at 40 hours.)\n   19. The SERVCON system should have an e-Authentication assessment conducted. (The\n       OIG estimates the level of effort for this recommendation at 2 hours.)\n\nManagement Response:\n\nFMC concurs with the findings of the Office of the Inspector General. FMC has remedied\nrecommendations 13 through 16. FMC is in the process of remedying recommendations 17\nthrough 19 and anticipates completion by the 4th quarter of FY 12.\n\nOIG Comments to Management Response:\n\nOIG accepts that recommendation number 15 is closed. The OIG has not received any\ndocumentation to review and test the remaining recommendation responses. This will be tested\nin the next FISMA cycle.\n\n\n        12. Memorandums of Understanding (MOU)\nCondition:\n\nThe FMC has external users from four different agencies that have access to one of its systems.\nOf those four agencies, two of them do not have MOUs between the external agency and FMC\ndescribing the various security requirements when accessing FMC data.\n\n\n                                              26\n\x0cCriteria:\n\nNIST 800-47 Security Guide for Interconnecting Information Technology Systems, section\n3.5 states \xe2\x80\x9cDocument Interconnection Agreement - document an agreement governing the\ninterconnection and the terms under which the organizations will abide by the agreement, based\non the team\xe2\x80\x99s review of all relevant technical, security, and administrative issues (Section 3.4\nabove). Two documents may be developed: an Interconnection Security Agreement (ISA) and an\nMOU/A.\xe2\x80\x9d\n\nCause:\n\nThe cause is primarily because of lack of personnel or time constraints to adequately review\nMOUs and external agency needs in relation to that of the FMC.\n\nRisk:\n\nWithout an MOU between FMC and other agencies where personnel access FMC data, the entry\npoints into the FMC network may be exposed to weaker controls than that set by the FMC,\nresulting in possible exploitation of data. It is very important for the FMC to require external\nagencies to adhere to the same or stronger security controls when accessing FMC data from an\nexternal source.\n\nRecommendation(s):\n\n   20. Develop an MOU for all agencies where external personnel access the FMC data.\n\nManagement Response:\n\nManagement recognizes that the MOUs need updating and will work with other agencies as\nneeded to effect that. Primarily, updating will reflect the changes made by DOD with respect to\nwhich commands need access. Originally, MSC performed that function but it was transferred to\nMilitary Traffic Management Command (MTMC), with whom the Commission has an MOU.\nSubsequently, that function was transferred to U.S. Transportation Command (TRANSCOM),\nwhich subsumed the responsibilities of MTMC. Accordingly, the MOU needs updating to\nreflect that TRANSCOM is the agency with access to the Commission\xe2\x80\x99s system. Anticipated\ncompletion 2nd quarter of FY12.\n\nOIG Comments to Management Response:\n\nFMC will test this in the next FISMA cycle.\n\n\n\n\n                                              27\n\x0c                                                       PRIOR\xc2\xa0YEAR\xc2\xa0FINDINGS\xc2\xa0\n\n      \xc2\xa0\n                                                                                                                Open\xc2\xa0/\xc2\xa0\n#\xc2\xa0                                 POA&M\xc2\xa0                                                Notes\xc2\xa0\n                                                                                                                Closed\xc2\xa0\n\n          Formally\xc2\xa0document\xc2\xa0plans\xc2\xa0for\xc2\xa0Form\xe2\x80\x901\xc2\xa0and\xc2\xa0Form\xe2\x80\x9018\xc2\xa0system\xc2\xa0             Evidence\xc2\xa0was\xc2\xa0obtained\xc2\xa0in\xc2\xa0the\xc2\xa0\n1\xc2\xa0         replacements\xc2\xa0that\xc2\xa0includes,\xc2\xa0but\xc2\xa0is\xc2\xa0not\xc2\xa0limited\xc2\xa0to,\xc2\xa0explicit\xc2\xa0       current\xc2\xa0FISMA\xc2\xa0testing\xc2\xa0that\xc2\xa0       Closed\xc2\xa0\n                    migration\xc2\xa0milestones\xc2\xa0and\xc2\xa0timeliness.\xc2\xa0                         closes\xc2\xa0this\xc2\xa0finding.\xc2\xa0\n\n      Clearly\xc2\xa0identify\xc2\xa0the\xc2\xa0Certifying\xc2\xa0Agency,\xc2\xa0Designated\xc2\xa0Approving\xc2\xa0\n                                                                              This\xc2\xa0was\xc2\xa0closed\xc2\xa0prior\xc2\xa0to\xc2\xa0the\xc2\xa0\n2\xc2\xa0     Authority,\xc2\xa0and\xc2\xa0system\xc2\xa0owner\xc2\xa0in\xc2\xa0the\xc2\xa0security\xc2\xa0plans\xc2\xa0and\xc2\xa0C&A\xc2\xa0                                               Closed\xc2\xa0\n                                                                                  FISMA\xc2\xa02011\xc2\xa0testing.\xc2\xa0\n     documentation\xc2\xa0in\xc2\xa0accordance\xc2\xa0with\xc2\xa0NIST\xc2\xa0SP\xc2\xa0800\xe2\x80\x9037\xc2\xa0as\xc2\xa0amended.\xc2\xa0\n\n      Conduct\xc2\xa0complete\xc2\xa0risk\xc2\xa0assessments\xc2\xa0on\xc2\xa0accredited\xc2\xa0FMC\xc2\xa0systems\xc2\xa0\n      (FMC\xc2\xa0Network\xc2\xa0and\xc2\xa0SERVCON).\xc2\xa0Define\xc2\xa0accreditation\xc2\xa0boundaries.\xc2\xa0           This\xc2\xa0was\xc2\xa0rolled\xc2\xa0up\xc2\xa0to\xc2\xa0FY2011\xc2\xa0\n3\xc2\xa0                                                                                                              Open\xc2\xa0\n     Ensure\xc2\xa0risk\xc2\xa0assessments\xc2\xa0are\xc2\xa0complete\xc2\xa0in\xc2\xa0accordance\xc2\xa0with\xc2\xa0NIST\xc2\xa0SP\xc2\xa0                Finding\xc2\xa0#11\xc2\xa0\n                          800\xe2\x80\x9030\xc2\xa0as\xc2\xa0amended.\xc2\xa0\n\n      Conduct\xc2\xa0control\xc2\xa0assessments\xc2\xa0in\xc2\xa0accordance\xc2\xa0with\xc2\xa0FIPS\xc2\xa0200,\xc2\xa0NIST\xc2\xa0         This\xc2\xa0was\xc2\xa0rolled\xc2\xa0up\xc2\xa0to\xc2\xa0FY2011\xc2\xa0\n4\xc2\xa0                                                                                                              Open\xc2\xa0\n         SP\xc2\xa0800\xe2\x80\x9053\xc2\xa0as\xc2\xa0amended,\xc2\xa0and\xc2\xa0NIST\xc2\xa0SP\xc2\xa0800\xe2\x80\x9037\xc2\xa0as\xc2\xa0amended.\xc2\xa0                       Finding\xc2\xa0#11\xc2\xa0\n\n          Complete\xc2\xa0the\xc2\xa0Authority\xc2\xa0to\xc2\xa0Operate\xc2\xa0letters\xc2\xa0with\xc2\xa0the\xc2\xa0correct\xc2\xa0        This\xc2\xa0was\xc2\xa0rolled\xc2\xa0up\xc2\xa0to\xc2\xa0FY2011\xc2\xa0\n5\xc2\xa0                                                                                                              Open\xc2\xa0\n                          information\xc2\xa0and\xc2\xa0titles.\xc2\xa0                                   Finding\xc2\xa0#11\xc2\xa0\n\n          Correct\xc2\xa0the\xc2\xa0e\xe2\x80\x90authentication\xc2\xa0risk\xc2\xa0assessment\xc2\xa0for\xc2\xa0SERVCON.\xc2\xa0         This\xc2\xa0was\xc2\xa0rolled\xc2\xa0up\xc2\xa0to\xc2\xa0FY2011\xc2\xa0\n6\xc2\xa0                                                                                                              Open\xc2\xa0\n                   SERVCON\xc2\xa0requires\xc2\xa0Level\xc2\xa04\xc2\xa0authentication.\xc2\xa0                         Finding\xc2\xa0#11\xc2\xa0\n\n     As\xc2\xa0recommended\xc2\xa0in\xc2\xa0FY09,\xc2\xa0develop\xc2\xa0a\xc2\xa0POA&M\xc2\xa0process\xc2\xa0for\xc2\xa0systems\xc2\xa0\n                                                                            This\xc2\xa0year\xe2\x80\x99s\xc2\xa0FISMA\xc2\xa0report\xc2\xa0will\xc2\xa0be\xc2\xa0\n      that\xc2\xa0will\xc2\xa0be\xc2\xa0retained\xc2\xa0complete\xc2\xa0the\xc2\xa0POA&Ms\xc2\xa0in\xc2\xa0accordance\xc2\xa0with\xc2\xa0\n7\xc2\xa0                                                                             used\xc2\xa0as\xc2\xa0the\xc2\xa0final\xc2\xa0listing\xc2\xa0of\xc2\xa0    Closed\xc2\xa0\n      current\xc2\xa0OMB\xc2\xa0and\xc2\xa0NIST\xc2\xa0guidance,\xc2\xa0and\xc2\xa0maintain\xc2\xa0evidence\xc2\xa0of\xc2\xa0the\xc2\xa0\n                                                                                 outstanding\xc2\xa0POA&Ms.\xc2\xa0\n                            closure\xc2\xa0of\xc2\xa0each\xc2\xa0item.\xc2\xa0\n\n        Review\xc2\xa0and\xc2\xa0implement\xc2\xa0FMC\'s\xc2\xa0policies\xc2\xa0and\xc2\xa0procedures\xc2\xa0(and,\xc2\xa0if\xc2\xa0\n     determined\xc2\xa0necessary,\xc2\xa0hardware\xc2\xa0and/or\xc2\xa0software)\xc2\xa0for\xc2\xa0the\xc2\xa0ISSO\xc2\xa0to\xc2\xa0\n         monitor\xc2\xa0the\xc2\xa0actions\xc2\xa0of\xc2\xa0all\xc2\xa0FMC\xc2\xa0Network\xc2\xa0user,\xc2\xa0and\xc2\xa0privileged\xc2\xa0        This\xc2\xa0was\xc2\xa0rolled\xc2\xa0up\xc2\xa0to\xc2\xa0FY2011\xc2\xa0\n8\xc2\xa0                                                                                                              Open\xc2\xa0\n      (super\xc2\xa0user)\xc2\xa0accounts\xc2\xa0such\xc2\xa0as\xc2\xa0the\xc2\xa0top\xc2\xa0tier\xc2\xa0Domain\xc2\xa0Administrator\xc2\xa0                Finding\xc2\xa0#8\xc2\xa0\n         Account\xc2\xa0and\xc2\xa0the\xc2\xa0administrator\xc2\xa0accounts\xc2\xa0under\xc2\xa0the\xc2\xa0Domain\xc2\xa0\n                           Administrator\xc2\xa0Group.\xc2\xa0\n\n     The\xc2\xa0FMC\xc2\xa0Network\xc2\xa0Domain\xc2\xa0Administrator\xc2\xa0user\xc2\xa0account\xc2\xa0should\xc2\xa0be\xc2\xa0\n     changed\xc2\xa0in\xc2\xa0accordance\xc2\xa0with\xc2\xa0FMC\xc2\xa0password\xc2\xa0policy,\xc2\xa0and\xc2\xa0physically\xc2\xa0\n          secured\xc2\xa0to\xc2\xa0restrict\xc2\xa0its\xc2\xa0access.\xc2\xa0The\xc2\xa0CIO\xc2\xa0or\xc2\xa0his\xc2\xa0designated\xc2\xa0         This\xc2\xa0was\xc2\xa0rolled\xc2\xa0up\xc2\xa0to\xc2\xa0FY2011\xc2\xa0\n9\xc2\xa0   representative\xc2\xa0should\xc2\xa0control\xc2\xa0the\xc2\xa0access\xc2\xa0and\xc2\xa0use\xc2\xa0of\xc2\xa0the\xc2\xa0password\xc2\xa0                                          Open\xc2\xa0\n                                                                                      Finding\xc2\xa0#8\xc2\xa0\n      so\xc2\xa0that\xc2\xa0this\xc2\xa0password\xc2\xa0is\xc2\xa0only\xc2\xa0made\xc2\xa0available\xc2\xa0for\xc2\xa0authorized\xc2\xa0and\xc2\xa0\n      documented\xc2\xa0network\xc2\xa0changes\xc2\xa0and/or\xc2\xa0emergencies.\xc2\xa0This\xc2\xa0would\xc2\xa0\n     ensure\xc2\xa0accountability\xc2\xa0and\xc2\xa0avoid\xc2\xa0any\xc2\xa0potential\xc2\xa0for\xc2\xa0a\xc2\xa0single\xc2\xa0point\xc2\xa0of\xc2\xa0\n\n\n                                                                 28\n\x0c                                                                                                                 Open\xc2\xa0/\xc2\xa0\n#\xc2\xa0                                 POA&M\xc2\xa0                                                 Notes\xc2\xa0\n                                                                                                                 Closed\xc2\xa0\n\n      failure.\xc2\xa0The\xc2\xa0process\xc2\xa0for\xc2\xa0handling\xc2\xa0the\xc2\xa0FMC\xc2\xa0Domain\xc2\xa0Administrator\xc2\xa0\n                       account\xc2\xa0should\xc2\xa0be\xc2\xa0documented.\xc2\xa0\n\n         If\xc2\xa0regular\xc2\xa0Domain\xc2\xa0Administrator\xc2\xa0Account\xc2\xa0use\xc2\xa0is\xc2\xa0deemed\xc2\xa0\n      necessary\xc2\xa0without\xc2\xa0employing\xc2\xa0the\xc2\xa0recommended\xc2\xa0procedures\xc2\xa0or\xc2\xa0\n      other\xc2\xa0means\xc2\xa0that\xc2\xa0effectively\xc2\xa0enforces\xc2\xa0user\xc2\xa0accountability,\xc2\xa0FMC\xc2\xa0\n                                 should:\xc2\xa0\n\n                   a.\xc2\xa0Document\xc2\xa0the\xc2\xa0reason\xc2\xa0for\xc2\xa0this\xc2\xa0need.\xc2\xa0\n\n      b.\xc2\xa0Perform\xc2\xa0a\xc2\xa0risk\xc2\xa0assessment\xc2\xa0in\xc2\xa0accordance\xc2\xa0with\xc2\xa0NIST\xc2\xa0SP\xc2\xa0800\xe2\x80\x9030\xc2\xa0         This\xc2\xa0was\xc2\xa0rolled\xc2\xa0up\xc2\xa0to\xc2\xa0FY2011\xc2\xa0\n10\xc2\xa0                                                                                                               Open\xc2\xa0\n         to\xc2\xa0determine\xc2\xa0the\xc2\xa0level\xc2\xa0of\xc2\xa0risk\xc2\xa0associated\xc2\xa0with\xc2\xa0this\xc2\xa0practice.\xc2\xa0                Finding\xc2\xa0#8\xc2\xa0\n\n       c.\xc2\xa0Develop\xc2\xa0a\xc2\xa0stand\xe2\x80\x90a\xe2\x80\x90alone\xc2\xa0document,\xc2\xa0or\xc2\xa0update\xc2\xa0the\xc2\xa0FMC\xc2\xa0LAN\xc2\xa0\n            system\xc2\xa0security\xc2\xa0plan\xc2\xa0to\xc2\xa0reflect\xc2\xa0the\xc2\xa0acceptance\xc2\xa0of\xc2\xa0risk.\xc2\xa0\n\n       d.\xc2\xa0The\xc2\xa0designated\xc2\xa0approval\xc2\xa0authority\xc2\xa0for\xc2\xa0the\xc2\xa0FMC\xc2\xa0LAN\xc2\xa0should\xc2\xa0\n      accept\xc2\xa0responsibility\xc2\xa0for\xc2\xa0the\xc2\xa0risk\xc2\xa0associated\xc2\xa0with\xc2\xa0this\xc2\xa0practice\xc2\xa0in\xc2\xa0\n                                   writing.\xc2\xa0\n\n      Develop\xc2\xa0a\xc2\xa0contingency\xc2\xa0plan\xc2\xa0policy\xc2\xa0and\xc2\xa0procedures\xc2\xa0that\xc2\xa0address\xc2\xa0\n      the\xc2\xa0creation,\xc2\xa0review,\xc2\xa0testing,\xc2\xa0and\xc2\xa0maintenance\xc2\xa0of\xc2\xa0contingency\xc2\xa0          This\xc2\xa0was\xc2\xa0rolled\xc2\xa0up\xc2\xa0to\xc2\xa0FY2011\xc2\xa0\n11\xc2\xa0                                                                                                               Open\xc2\xa0\n          plans.\xc2\xa0Test\xc2\xa0contingency\xc2\xa0plans\xc2\xa0and\xc2\xa0document\xc2\xa0results\xc2\xa0in\xc2\xa0                       Finding\xc2\xa0#4\xc2\xa0\n           accordance\xc2\xa0with\xc2\xa0NIST\xc2\xa0SP\xc2\xa0800\xe2\x80\x9034\xc2\xa0and\xc2\xa0NIST\xc2\xa0SP\xc2\xa0800\xe2\x80\x9053.\xc2\xa0\n\n                                                                                                                  Closed\xc2\xa0\n                                                                              An\xc2\xa0inventory\xc2\xa0of\xc2\xa0systems\xc2\xa0are\xc2\xa0      during\xc2\xa0the\xc2\xa0\n      Complete\xc2\xa0and\xc2\xa0maintain\xc2\xa0an\xc2\xa0official\xc2\xa0system\xc2\xa0inventory\xc2\xa0of\xc2\xa0all\xc2\xa0FMC\xc2\xa0\n12\xc2\xa0                                                                           maintained\xc2\xa0and\xc2\xa0contain\xc2\xa0the\xc2\xa0        FY\xc2\xa02011\xc2\xa0\n                       systems\xc2\xa0and\xc2\xa0interfaces.\xc2\xa0\n                                                                               necessary\xc2\xa0requirements.\xc2\xa0           FISMA\xc2\xa0\n                                                                                                               engagement\xc2\xa0\n\n      Organize\xc2\xa0the\xc2\xa0FMC\xc2\xa0inventory\xc2\xa0in\xc2\xa0a\xc2\xa0hierarchal\xc2\xa0fashion\xc2\xa0(i.e.,\xc2\xa0which\xc2\xa0         This\xc2\xa0was\xc2\xa0closed\xc2\xa0prior\xc2\xa0to\xc2\xa0the\xc2\xa0\n13\xc2\xa0                                                                                                              Closed\xc2\xa0\n                  systems\xc2\xa0are\xc2\xa0subordinate\xc2\xa0to\xc2\xa0the\xc2\xa0GSS).\xc2\xa0                            FISMA\xc2\xa02011\xc2\xa0testing.\xc2\xa0\n\n      Define\xc2\xa0and\xc2\xa0document\xc2\xa0policies\xc2\xa0and\xc2\xa0procedures\xc2\xa0for\xc2\xa0an\xc2\xa0oversight\xc2\xa0\n        methodology\xc2\xa0of\xc2\xa0external\xc2\xa0information\xc2\xa0system\xc2\xa0services\xc2\xa0with\xc2\xa0                                                 Closed\xc2\xa0\n      contractors.\xc2\xa0At\xc2\xa0the\xc2\xa0defined\xc2\xa0frequency\xc2\xa0for\xc2\xa0this\xc2\xa0process\xc2\xa0(at\xc2\xa0least\xc2\xa0      The\xc2\xa0FMC\xc2\xa0has\xc2\xa0numerous\xc2\xa0policies\xc2\xa0     during\xc2\xa0the\xc2\xa0\n14\xc2\xa0     once\xc2\xa0a\xc2\xa0year),\xc2\xa0FMC\xc2\xa0should\xc2\xa0meet\xc2\xa0with\xc2\xa0the\xc2\xa0contractor\xc2\xa0and,\xc2\xa0if\xc2\xa0           concerning\xc2\xa0system\xc2\xa0services\xc2\xa0and\xc2\xa0     FY\xc2\xa02011\xc2\xa0\n                     necessary,\xc2\xa0create\xc2\xa0findings\xc2\xa0on\xc2\xa0the\xc2\xa0                               contractors.\xc2\xa0               FISMA\xc2\xa0\n                                                                                                               engagement\xc2\xa0\n      POA&M.\xc2\xa0A\xc2\xa0document/memo\xc2\xa0should\xc2\xa0be\xc2\xa0created\xc2\xa0each\xc2\xa0time\xc2\xa0that\xc2\xa0\n                     oversight\xc2\xa0is\xc2\xa0performed.\xc2\xa0\n\n          Monitor\xc2\xa0security\xc2\xa0control\xc2\xa0compliance\xc2\xa0by\xc2\xa0external\xc2\xa0service\xc2\xa0            Access\xc2\xa0to\xc2\xa0the\xc2\xa0FMC\xc2\xa0data\xc2\xa0from\xc2\xa0\n15\xc2\xa0                                                                                                              Closed\xc2\xa0\n        providers\xc2\xa0and\xc2\xa0maintain\xc2\xa0an\xc2\xa0inventory\xc2\xa0of\xc2\xa0the\xc2\xa0following\xc2\xa0items:\xc2\xa0           external\xc2\xa0agencies\xc2\xa0is\xc2\xa0via\xc2\xa0the\xc2\xa0\n                                                                              Internet\xc2\xa0with\xc2\xa0authentication\xc2\xa0\n\n                                                                 29\n\x0c                                                                                                            Open\xc2\xa0/\xc2\xa0\n#\xc2\xa0                                 POA&M\xc2\xa0                                             Notes\xc2\xa0\n                                                                                                            Closed\xc2\xa0\n\n      *\xc2\xa0the\xc2\xa0number\xc2\xa0of\xc2\xa0contractor\xc2\xa0systems\xc2\xa0that\xc2\xa0service\xc2\xa0FMC\xc2\xa0by\xc2\xa0FIPS\xc2\xa0199\xc2\xa0             credentials.\xc2\xa0\n                                 category.\xc2\xa0\xc2\xa0\n\n       *\xc2\xa0The\xc2\xa0number\xc2\xa0of\xc2\xa0contractor\xc2\xa0systems\xc2\xa0that\xc2\xa0service\xc2\xa0FMC\xc2\xa0by\xc2\xa0C&A\xc2\xa0\n                                 status.\xc2\xa0\xc2\xa0\n\n       *\xc2\xa0The\xc2\xa0number\xc2\xa0contractor\xc2\xa0systems\xc2\xa0that\xc2\xa0service\xc2\xa0FMC\xc2\xa0by\xc2\xa0whether\xc2\xa0\n                        annual\xc2\xa0testing\xc2\xa0occurred.\xc2\xa0\n\n      *\xc2\xa0The\xc2\xa0number\xc2\xa0of\xc2\xa0contractor\xc2\xa0systems\xc2\xa0that\xc2\xa0service\xc2\xa0FMC\xc2\xa0by\xc2\xa0whether\xc2\xa0\n                      a\xc2\xa0tested\xc2\xa0contingency\xc2\xa0plan\xc2\xa0exits.\xc2\xa0\n\n        *\xc2\xa0The\xc2\xa0number\xc2\xa0of\xc2\xa0agency\xe2\x80\x90owned\xc2\xa0and\xc2\xa0contractor\xc2\xa0systems\xc2\xa0that\xc2\xa0\n           service\xc2\xa0FMC\xc2\xa0assessed\xc2\xa0at\xc2\xa0e\xe2\x80\x90authentication\xc2\xa0levels\xc2\xa03\xc2\xa0or\xc2\xa04.\xc2\xa0\n\n       Maintain\xc2\xa0Authority\xc2\xa0to\xc2\xa0Operate\xc2\xa0(ATO)\xc2\xa0letters,\xc2\xa0Interconnection\xc2\xa0\n                                                                           This\xc2\xa0was\xc2\xa0rolled\xc2\xa0up\xc2\xa0to\xc2\xa0FY2011\xc2\xa0\n16\xc2\xa0   Security\xc2\xa0Agreements\xc2\xa0(ISA),\xc2\xa0and\xc2\xa0Memorandum\xc2\xa0of\xc2\xa0Understanding\xc2\xa0                                            Open\xc2\xa0\n                                                                                   Finding\xc2\xa0#12\xc2\xa0\n           (MOU)\xc2\xa0between\xc2\xa0FMC\xc2\xa0and\xc2\xa0external\xc2\xa0service\xc2\xa0providers.\xc2\xa0\n\n        Complete\xc2\xa0the\xc2\xa0SERVCON\xc2\xa0and\xc2\xa0GSS\xc2\xa0configuration\xc2\xa0management\xc2\xa0\n       documentation\xc2\xa0to\xc2\xa0include\xc2\xa0the\xc2\xa0sections\xc2\xa0missing,\xc2\xa0as\xc2\xa0identified\xc2\xa0in\xc2\xa0\n         the\xc2\xa0condition\xc2\xa0section,\xc2\xa0above.\xc2\xa0Additionally,\xc2\xa0confirm\xc2\xa0that\xc2\xa0the\xc2\xa0\n       SERVCON\xc2\xa0and\xc2\xa0future\xc2\xa0configuration\xc2\xa0management\xc2\xa0plans\xc2\xa0address\xc2\xa0\n          the\xc2\xa0following\xc2\xa0sections,\xc2\xa0in\xc2\xa0accordance\xc2\xa0with\xc2\xa0NIST\xc2\xa0SP\xc2\xa0800\xe2\x80\x9053\xc2\xa0\n                                   Revision\xc2\xa03:\xc2\xa0\n                                                                                                              Closed\xc2\xa0\n                \xe2\x80\x90\xc2\xa0security\xc2\xa0control,\xc2\xa0port\xc2\xa0and\xc2\xa0firewall\xc2\xa0settings.\xc2\xa0          Configuration\xc2\xa0Management\xc2\xa0and\xc2\xa0 during\xc2\xa0the\xc2\xa0\n17\xc2\xa0                                                                        other\xc2\xa0related\xc2\xa0documentation\xc2\xa0      FY\xc2\xa02011\xc2\xa0\n                  \xe2\x80\x90\xc2\xa0allowable\xc2\xa0and\xc2\xa0non\xe2\x80\x90allowable\xc2\xa0services.\xc2\xa0                now\xc2\xa0exists\xc2\xa0for\xc2\xa0the\xc2\xa0FMC\xc2\xa0systems.\xc2\xa0    FISMA\xc2\xa0\n                                                                                                           engagement\xc2\xa0\n                  \xe2\x80\x90\xc2\xa0hardware\xc2\xa0and\xc2\xa0software\xc2\xa0requirements.\xc2\xa0\n\n                        \xe2\x80\x90\xc2\xa0patches\xc2\xa0and\xc2\xa0service\xc2\xa0packs.\xc2\xa0\n\n       \xe2\x80\x90\xc2\xa0establish\xc2\xa0system\xc2\xa0and\xc2\xa0application\xc2\xa0baselines\xc2\xa0and\xc2\xa0document\xc2\xa0the.\xc2\xa0\n\n                       deviations\xc2\xa0from\xc2\xa0the\xc2\xa0baselines.\xc2\xa0\n\n      Implement\xc2\xa0the\xc2\xa0NIST\xc2\xa0National\xc2\xa0Checklist\xc2\xa0Program\xc2\xa0for\xc2\xa0FMC\xc2\xa0services\xc2\xa0\n         and\xc2\xa0utilize\xc2\xa0a\xc2\xa0Security\xc2\xa0Content\xc2\xa0Automation\xc2\xa0Protocol\xc2\xa0(SCAP)\xc2\xa0\n                                                                           This\xc2\xa0was\xc2\xa0rolled\xc2\xa0up\xc2\xa0to\xc2\xa0FY2011\xc2\xa0\n18\xc2\xa0       scanner\xc2\xa0to\xc2\xa0verify\xc2\xa0NIST\xc2\xa0baseline\xc2\xa0security\xc2\xa0configurations\xc2\xa0for\xc2\xa0                                       Open\xc2\xa0\n                                                                                    Finding\xc2\xa0#1\xc2\xa0\n      servers.\xc2\xa0Additionally,\xc2\xa0document\xc2\xa0any\xc2\xa0deviations\xc2\xa0from\xc2\xa0the\xc2\xa0baseline\xc2\xa0\n                security\xc2\xa0configurations\xc2\xa0along\xc2\xa0with\xc2\xa0the\xc2\xa0reasons.\xc2\xa0\n\n      A11\xe2\x80\x9001A\xc2\xa0(1)\xc2\xa0\xe2\x80\x90\xc2\xa0Develop\xc2\xa0and\xc2\xa0implement\xc2\xa0policies\xc2\xa0and\xc2\xa0procedures\xc2\xa0to\xc2\xa0      This\xc2\xa0was\xc2\xa0rolled\xc2\xa0up\xc2\xa0to\xc2\xa0FY2011\xc2\xa0\n19\xc2\xa0                                                                                                          Open\xc2\xa0\n       require\xc2\xa0privacy\xc2\xa0impact\xc2\xa0assessments\xc2\xa0(PIA)\xc2\xa0to\xc2\xa0be\xc2\xa0completed\xc2\xa0for\xc2\xa0                Finding\xc2\xa0#7\xc2\xa0\n\n\n\n                                                                   30\n\x0c                                                                                                              Open\xc2\xa0/\xc2\xa0\n#\xc2\xa0                                POA&M\xc2\xa0                                                Notes\xc2\xa0\n                                                                                                              Closed\xc2\xa0\n\n                    each\xc2\xa0applicable\xc2\xa0information\xc2\xa0system.\n\n      A11\xe2\x80\x9001A\xc2\xa0(2)\xc2\xa0Remove\xc2\xa0the\xc2\xa0FMC\xe2\x80\x9018\xc2\xa0(Form\xe2\x80\x9018\xc2\xa0PIA\xc2\xa0from\xc2\xa0the\xc2\xa0publicly\xc2\xa0\n       accessible\xc2\xa0web\xc2\xa0that\xc2\xa0incorrectly\xc2\xa0states,\xc2\xa0"A\xc2\xa0risk\xc2\xa0Assessment\xc2\xa0has\xc2\xa0\n                                                                            This\xc2\xa0was\xc2\xa0closed\xc2\xa0prior\xc2\xa0to\xc2\xa0the\xc2\xa0\n20\xc2\xa0      been\xc2\xa0conducted\xc2\xa0and\xc2\xa0the\xc2\xa0appropriate\xc2\xa0controls\xc2\xa0have\xc2\xa0been\xc2\xa0                                               Closed\xc2\xa0\n                                                                                FISMA\xc2\xa02011\xc2\xa0testing.\xc2\xa0\n      implemented"\xc2\xa0as\xc2\xa0no\xc2\xa0authorization\xc2\xa0(formerly\xc2\xa0C&A)\xc2\xa0package\xc2\xa0was\xc2\xa0\n                         created\xc2\xa0for\xc2\xa0this\xc2\xa0system.\xc2\xa0\n\n          A11\xe2\x80\x9001A\xc2\xa0(3)\xc2\xa0\xe2\x80\x90\xc2\xa0Create\xc2\xa0a\xc2\xa0planning\xc2\xa0document\xc2\xa0for\xc2\xa0multifactor\xc2\xa0\n        authentication\xc2\xa0that\xc2\xa0correlates\xc2\xa0with\xc2\xa0the\xc2\xa0IT\xc2\xa0capital\xc2\xa0planning\xc2\xa0and\xc2\xa0\n       investment\xc2\xa0control\xc2\xa0process.\xc2\xa0Utilized\xc2\xa0multifactor\xc2\xa0authentication\xc2\xa0     This\xc2\xa0was\xc2\xa0rolled\xc2\xa0up\xc2\xa0to\xc2\xa0FY2011\xc2\xa0\n21\xc2\xa0                                                                                                           Open\xc2\xa0\n        for\xc2\xa0remote\xc2\xa0authentication\xc2\xa0FMC\xc2\xa0systems\xc2\xa0to\xc2\xa0authenticate\xc2\xa0users\'\xc2\xa0                Finding\xc2\xa0#6\xc2\xa0\n       identities\xc2\xa0for\xc2\xa0Level\xc2\xa03\xc2\xa0and\xc2\xa0Level\xc2\xa04\xc2\xa0users\xc2\xa0in\xc2\xa0accordance\xc2\xa0with\xc2\xa0NIST\xc2\xa0\n                                    800\xe2\x80\x9063.\xc2\xa0\n\n      A11\xe2\x80\x9001A\xc2\xa0(4)\xc2\xa0\xe2\x80\x90\xc2\xa0Create\xc2\xa0policies\xc2\xa0and/or\xc2\xa0procedures\xc2\xa0to\xc2\xa0log,\xc2\xa0verify\xc2\xa0and\xc2\xa0\n                                                                            Policies\xc2\xa0are\xc2\xa0now\xc2\xa0in\xc2\xa0place\xc2\xa0that\xc2\xa0\n22\xc2\xa0        reassess\xc2\xa0data\xc2\xa0extracts\xc2\xa0from\xc2\xa0database\xc2\xa0holding\xc2\xa0sensitive\xc2\xa0                                            Closed\xc2\xa0\n                                                                              addresses\xc2\xa0this\xc2\xa0POA&M.\xc2\xa0\n                         information\xc2\xa0after\xc2\xa090\xc2\xa0days.\xc2\xa0\n\n           Evaluate\xc2\xa0FMC\xc2\xa0mobile\xc2\xa0needs\xc2\xa0and\xc2\xa0implement\xc2\xa0FIPS\xc2\xa0140\xe2\x80\x902\xc2\xa0\n23\xc2\xa0    encryption\xc2\xa0on\xc2\xa0mobile\xc2\xa0computers\xc2\xa0and\xc2\xa0portable\xc2\xa0devices\xc2\xa0carrying\xc2\xa0           This\xc2\xa0still\xc2\xa0remains\xc2\xa0open.\xc2\xa0      Open\xc2\xa0\n                              agency\xc2\xa0data.\xc2\xa0\n\n               \xc2\xa0\n\n\n\n\n                                                                31\n\x0c'